With the compliance deadline looming, it’s more important than ever to understand the GDPR and what your organisation needs to do to comply.

Key changes introduced by the GDPR

The GDPR introduces a number of key changes, and with organisations facing tough penalties for non-compliance, it’s vital that you are aware of the new obligations so you can prepare accordingly:

The appointment of a data protection officer (DPO) will be mandatory for certain organisations

Article 35 states that DPOs must be appointed for all public authorities. In addition, a DPO will be required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.

The rules of valid consent have changed

The consent document should be laid out in simple terms. Silence or inactivity does not constitute consent; clear and affirmative consent to the processing of private data must be provided.

Parental consent will also be required for the processing of personal data of children under the age of 16. EU member states may lower the age requiring parental consent to 13 and Ireland has already announced that it will set the digital age of consent to 13.

Restrictions on international data transfers

Organisations need to be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.

Data processors will have direct legal obligations and responsibilities

Processors can be held liable for data breaches. Contractual arrangements will need to be updated, and stipulating the responsibilities and liabilities of the controller and the processor will be imperative in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may affect service costs.

A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct data protection impact assessments (DPIAs) where the risk of a privacy breach is high, in order to analyse and minimise the risks to their data subjects.

An essential first step for completing a DPIA is to map your organisation’s data and information flows (data mapping).

Clear and comprehensive guidance on GDPR compliance

There are a number of other key changes that will be introduced by the GDPR in May 2018, and it is important not to underestimate the length of time it will take to dismantle, rebuild, adjust or amend your current data protection system.